Merge "security group denies TCP flows when chassis-snat is enabled"

dragonflow/controller/apps/chassis_snat.py

@@ -162,6 +162,7 @@ class ChassisSNATApp(df_base_app.DFlowApp, snat_mixin.SNATApp_mixin):
         self._install_snat_ingress_after_conntrack(
                                         lport.unique_key,
                                         lport.mac,
+                                        lport.lswitch.unique_key,
                                         self.external_host_mac)
 
     def remove_lport_based_flows(self, lport):

dragonflow/controller/apps/snat_mixin.py

@@ -209,6 +209,7 @@ class SNATApp_mixin(object):
     def _install_snat_ingress_after_conntrack(self,
                                               unique_key,
                                               vm_mac,
+                                              network_id,
                                               external_host_mac):
         """complements reverse sNAT translation from unique IP to tenant IP
 
@@ -236,12 +237,13 @@ class SNATApp_mixin(object):
             parser.NXActionRegMove(
                             src_field='ct_label',
                             dst_field='ipv4_dst',
-                            n_bits=32)
+                            n_bits=32),
+            parser.OFPActionSetField(metadata=network_id),
                    ]
         action_inst = parser.OFPInstructionActions(
             ofproto.OFPIT_APPLY_ACTIONS, actions)
         goto_inst = parser.OFPInstructionGotoTable(
-            const.INGRESS_DISPATCH_TABLE)
+            const.INGRESS_DESTINATION_PORT_LOOKUP_TABLE)
         inst = [action_inst, goto_inst]
 
         self.mod_flow(

dragonflow/tests/fullstack/test_snat_flows.py

@@ -12,6 +12,7 @@
 from oslo_config import cfg
 
 from dragonflow.controller.common import constants as const
+from dragonflow.db.models import l2
 from dragonflow.tests.common import utils
 from dragonflow.tests.fullstack import test_base
 from dragonflow.tests.fullstack import test_objects as objects
@@ -26,13 +27,15 @@ class TestSnatFlows(test_base.DFTestBase):
         return SNAT_APP_NAME in cfg.CONF.df.apps_list
 
     def _check_port_based_flows(self,
-                                flows, hex_port_key, external_host_mac, mac):
+                                flows, hex_port_key,
+                                hex_lswitch_key, external_host_mac, mac):
         match = 'ct_mark=' + hex_port_key + ',ip'
         action = 'set_field:' + external_host_mac + '->eth_src' \
             ',set_field:' + mac + '->eth_dst' \
             ',load:' + hex_port_key + '->NXM_NX_REG7[]' + \
             ',move:NXM_NX_CT_LABEL[0..31]->NXM_OF_IP_DST[]' + \
-            ',goto_table:' + str(const.INGRESS_DISPATCH_TABLE)
+            ',set_field:' + hex_lswitch_key + '->metadata' + \
+            ',goto_table:' + str(const.INGRESS_DESTINATION_PORT_LOOKUP_TABLE)
 
         port_based_ingress = None
         for flow in flows:
@@ -82,9 +85,12 @@ class TestSnatFlows(test_base.DFTestBase):
             exception=Exception('No port assigned to VM')
         )
         port_key = port.unique_key
+        network_key = network.nb_api.get(
+            l2.LogicalSwitch(id=network_id)).unique_key
         r = self._check_port_based_flows(
             ovs.dump(self.integration_bridge),
             hex(port_key),
+            hex(network_key),
             external_host_mac,
             mac)
         for key, value in r.items():